
Steve Prentice
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, November 15, 2024. I'm Steve Prentice.

China threat actors breached U.S. broadband providers to spy on U.S. government officials. A large-scale cyber espionage campaign by China-linked threat actors is being investigated by the FBI and CISA. The target of the attack was U.S. telecoms, whose networks were compromised by the threat actors in October to steal call records and access private communications, mainly of government and political figures. This attack has been attributed to Salt Typhoon, a group that is different from Volt Typhoon. The breach has been described as a major national security risk, and this is a developing story.

123456 tops the list of most popular passwords again. NordPass, maker of a password manager and sister company of NordVPN, has announced its list of the 200 most common passwords, and the results are disappointing in this sixth year of publishing. Its list is derived from a 2.5 terabyte database of passwords, personal and professional, from around the world, including the Dark Web. There is just one single... People are really bad at choosing hard-to-crack passwords. The list this year contains variations on the 123456 theme as well as variations on QWERTY and single-word passwords like password and secret, all of which can be cracked in less than a second. The personal and corporate passwords analyzed by NordPass were stolen by malware or exposed in data breaches. In most cases, the email addresses were leaked along with the passwords, helping NordPass determine which ones were for personal and which ones were for business use. Again, the company states that there really hasn't been any improvement over these past six years. A link to the NordPass report is available in the show notes to this episode.

Hacker gets 10 years in prison for U.S. healthcare extortion scheme. A 45-year-old man from Idaho, Robert Purbeck, has now been sentenced to 10 years in prison for hacking at least 19 organizations in the United States, stealing the personal data of more than 132,000 people, along with multiple extortion attempts. He was able to do this by buying network access to a computer server of a medical clinic in Georgia in 2017 through a darknet marketplace. He then leveraged his access to steal the personally identifiable information of 43,000 individuals, including their names, addresses and Social Security numbers. The following year he purchased access to a Georgia-based police department server, which enabled him to steal reports, documents and PII of 14,000 people after hacking into the City of Newnan's systems. These activities allowed him to go on a campaign of sorts, threatening individuals with the release of their data if ransoms were not paid. He has now been sentenced to 10 years in prison along with three years of supervised release and the obligation to pay his victims over $1 million in restitution.

Thanks to today's episode's sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Well, worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their U.S.-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That is T-H-R-E-A-T-L-O-C-K-E-R.

Misconfiguration in Microsoft Power Pages leads to data exposure. According to a blog post from AppOmni, Microsoft Power Pages, which was designed to simplify website creation and data integration for businesses, has left millions of records, including employee information and internal files, accessible to the public Internet. The cause for this lapse is being attributed to mismanagement of its security controls. According to the report, Power Pages uses a role-based access control model to manage user access levels. However, assigning too many permissions to roles like anonymous users, which are unauthenticated visitors, and authenticated users, which are logged-in visitors, can expose organizations to unintended data leaks.

Strela Stealer malware reappears in Spain, Germany and Ukraine. A group known as Hive0145 has been infecting targets with Strela Stealer malware that is delivered straight through phishing emails disguised as legitimate invoice notifications. What is worthy of note in this particular situation is that, according to researchers at IBM X-Force, whereas the group initially relied on fake invoices and receipts sent from fabricated accounts, they have recently begun weaponizing stolen emails from real entities in the financial technology, manufacturing, media, e-commerce and other sectors. It is, however, believed by the researchers that Hive0145 is the tool's sole operator.

Hackers use macOS extended file attributes to hide malicious code. This new technique abuses extended attributes for macOS files in order to deliver a new Trojan that researchers call RustyAttr. In this procedure, threat actors hide malicious code in custom file metadata and also use decoy PDF documents to help evade detection. macOS extended attributes, otherwise known as EAs, handle hidden metadata, which is most often associated with files and directories and is not directly visible with Finder. In the case of RustyAttr attacks, the EA name is test and holds a shell script to avoid detection. During this process, some samples launch decoy PDF files or display error dialogues.

In Switzerland, malware now arrives by postal mail. Switzerland's Federal Office for Cybersecurity has issued a warning about letters being sent via regular post that pretend to be from the country's meteorological agency, MeteoSwiss, and which are being used to spread malware. These postal letters, with dates up to November 12, appear to offer access to a new weather app via a printed QR code inside the envelope. In reality, this link downloads the stealer malware Coper and Octo2, which seek out login details from more than 383 mobile apps, including e-banking apps. Although this is not the first time a postal service has been used to deliver malware, experts note that the additional overhead, namely postage, means it is still rare.

Make sure to join us later today at 3:30pm Eastern for our Week in Review show. Brett Conlon, CISO at American Century Investments, will be our guest, providing his expert commentary on the news of the week. And of course we encourage participation and comments through our YouTube live channel. Just go to the events page at cisoseries.com to register and we will see you there. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – Detailed Summary
Episode Title: NordPass popular passwords, Healthcare extortion sentence, China breached telecoms
Host: Steve Prentice, CISO Series
Release Date: November 15, 2024
1. China Threat Actors Breach U.S. Telecoms
In the opening segment, Steve Prentice highlights a significant national security concern involving Chinese threat actors. According to the FBI and Cybersecurity and Infrastructure Security Agency (CISA), a large-scale cyber espionage campaign spearheaded by China-linked groups targeted U.S. telecom providers in October 2024.
"China threat actors breached U.S. broadband providers to spy on U.S. government officials," [00:00] Prentice reports.
The compromised telecom networks were exploited to steal call records and access private communications, predominantly affecting government and political figures. The threat group identified is Salt Typhoon, distinct from the similarly named Volt Typhoon. This breach is under intense investigation due to its implications for national security.
"This attack has been attributed to Salt Typhoon, a group that is different from Volt Typhoon. The breach has been described as a major national security risk," [00:00] Prentice adds.
As this story is still developing, Prentice emphasizes the ongoing nature of the investigation and its potential impact on U.S. national security.
2. NordPass Reveals Disappointing Password Trends
Steve Prentice transitions to discussing the latest report from NordPass, a prominent password manager and sister company of NordVPN. For the sixth consecutive year, NordPass has published its list of the 200 most common passwords, unveiling concerning trends in password security.
"People are really bad at choosing hard to crack passwords," [00:03] Prentice comments on the findings.
The top spot remains dominated by variations of "123456," followed by "QWERTY" and single-word passwords like "password" and "secret." These weak passwords can be cracked in less than a second, posing significant security risks.
NordPass derived its list from a massive 2.5 terabyte database encompassing personal and professional passwords sourced globally, including the Dark Web. The analysis revealed that many passwords were obtained through malware or data breaches, with leaked email addresses aiding in distinguishing between personal and business usage.
"There really hasn't been any improvement over these past six years," [00:03] Prentice notes the stagnation in password security practices.
Prentice directs listeners to the show notes for a link to the full NordPass report, underscoring the importance of strong password practices.
3. US Healthcare Extortionist Receives 10-Year Prison Sentence
The episode covers the sentencing of Robert Purbeck, a 45-year-old man from Idaho, who was convicted for a significant healthcare extortion scheme.
"Robert Purbeck has now been sentenced to 10 years in prison for hacking at least 19 organizations in the United States," [00:06] Prentice outlines the case.
Purbeck executed his scheme by purchasing unauthorized access to computer servers of a medical clinic in Georgia via a darknet marketplace in 2017. This breach allowed him to steal personal data of over 43,000 individuals, including sensitive information like names, addresses, and Social Security numbers. His activities expanded the following year to include access to a Georgia-based police department server, compromising data of an additional 14,000 people.
Utilizing the stolen information, Purbeck engaged in extortion by threatening to release the compromised data unless ransoms were paid. His actions affected 19 organizations and over 132,000 individuals.
"He has now been sentenced to 10 years in prison along with three years of supervised release and the obligation to pay his victims over $1 million in restitution," [00:06] Prentice concludes the segment.
This case highlights the severe legal repercussions for cybercriminals involved in data theft and extortion.
4. Microsoft Power Pages Misconfiguration Leads to Massive Data Exposure
Steve Prentice brings attention to a critical security lapse in Microsoft Power Pages, a tool designed to streamline website creation and data integration for businesses. According to a blog post from AppOmni, improper management of security controls has resulted in millions of records being left accessible to the public internet.
The misconfiguration involved the role-based access control (RBAC) model used by Power Pages. Assigning excessive permissions to roles such as anonymous users (unauthenticated visitors) and authenticated users (logged-in visitors) inadvertently exposed sensitive data. This oversight has potentially exposed employee information and internal files to unauthorized access.
Prentice underscores the importance of meticulous security configuration to prevent such widespread data leaks, urging organizations to review and enforce stringent access controls within their systems.
5. Strela Stealer Malware Resurgence in Europe
The discussion moves to the resurgence of Strela Stealer malware, particularly in Spain, Germany, and Ukraine. The group behind these attacks, identified as Hive0145, employs phishing emails masquerading as legitimate invoice notifications to infect targets.
"Hive0145 is the tool's sole operator," [00:09] Prentice cites IBM X-Force researchers.
Initially, Hive0145 utilized fabricated accounts to send fake invoices and receipts. However, they have recently shifted tactics by leveraging stolen emails from real entities across various sectors, including financial technology, manufacturing, media, and e-commerce. This evolution in their approach enhances the sophistication and effectiveness of their phishing campaigns, making detection and prevention more challenging.
Prentice highlights the adaptability of cybercriminals and the need for continuous vigilance against evolving malware threats.
6. Hackers Employ macOS Extended File Attributes to Conceal Malicious Code
Innovative malware delivery techniques are also covered, with a focus on the RustyAttr Trojan. Hackers are abusing Extended Attributes (EAs) on macOS files to hide malicious code, thereby evading traditional detection methods.
"Threat actors hide malicious code in custom file metadata and also use decoy PDF documents to help evade detection," [00:10] Prentice explains.
The process involves storing a shell script in an EA named "test," metadata that is not visible through standard file browsing tools such as Finder. Additionally, some samples launch decoy PDF files or display error dialogues to distract and mislead users and security tooling.
This method underscores the increasing complexity of malware concealment strategies, necessitating advanced security measures to identify and neutralize such threats.
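On the detection side, an added example written for this summary (not code from the podcast, CISO Series, or the researchers who analyzed RustyAttr): the script below enumerates extended attributes on every file under a directory and flags any attribute whose name falls outside the namespaces the OS and common tools normally write, or whose value reads like a shell script, which is exactly the pattern of a script stored in an EA named "test" as described above. The allow-listed namespaces, the script markers, and the sample scan data are all constructed assumptions to be tuned per environment; on macOS the collector shells out to the `xattr` command because CPython exposes `os.listxattr` on Linux only.

```python
import os
import shutil
import subprocess
from typing import Dict, List

# Attribute namespaces the OS, Finder and common tools normally write. This
# allow-list is an assumption for the example and should be tuned per fleet.
KNOWN_PREFIXES = ("com.apple.", "user.", "security.", "system.", "trusted.")

# Byte sequences that make an attribute value read like a script body.
SCRIPT_MARKERS = (b"#!/", b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript")

# Constructed sample of what a scan might return; these are not real files and
# the "test" attribute body is a harmless placeholder, not malware.
SAMPLE_SCAN: Dict[str, Dict[str, bytes]] = {
    "/Users/demo/Downloads/report.pdf": {
        "com.apple.quarantine": b"0083;66f1a2b3;Safari;",
    },
    "/Users/demo/Downloads/Invoice.app/Contents/MacOS/Invoice": {
        "com.apple.quarantine": b"0083;66f1a2b3;Safari;",
        "test": b"#!/bin/sh\necho 'constructed placeholder script body'\n",
    },
    "/Users/demo/Documents/notes.txt": {
        "user.comment": b"meeting notes",
    },
}


def xattr_reasons(name: str, value: bytes) -> List[str]:
    """Return the reasons an attribute looks suspicious (empty list if it looks benign)."""
    reasons = []
    if not name.startswith(KNOWN_PREFIXES):
        reasons.append("attribute name outside known namespaces")
    if any(marker in value for marker in SCRIPT_MARKERS):
        reasons.append("value contains script markers")
    return reasons


def is_suspicious_xattr(name: str, value: bytes) -> bool:
    return bool(xattr_reasons(name, value))


def audit_xattrs(scan: Dict[str, Dict[str, bytes]]) -> List[Dict[str, object]]:
    """One finding per suspicious attribute: path, attribute name, size and reasons."""
    findings: List[Dict[str, object]] = []
    for path, attrs in scan.items():
        for name, value in attrs.items():
            reasons = xattr_reasons(name, value)
            if reasons:
                findings.append({"path": path, "attr": name, "size": len(value), "reasons": reasons})
    return findings


def _xattrs_via_cli(path: str) -> Dict[str, bytes]:
    """macOS fallback: `xattr <file>` lists names, `xattr -p <name> <file>` prints one value."""
    listing = subprocess.run(["xattr", path], capture_output=True, check=True, text=True).stdout
    attrs: Dict[str, bytes] = {}
    for name in listing.split("\n"):
        name = name.strip()
        if name:
            attrs[name] = subprocess.run(["xattr", "-p", name, path], capture_output=True, check=True).stdout
    return attrs


def collect_xattrs(root: str) -> Dict[str, Dict[str, bytes]]:
    """Walk `root` and gather every regular file's EAs. CPython exposes os.listxattr on
    Linux only, so on macOS the `xattr` command-line tool is used instead."""
    result: Dict[str, Dict[str, bytes]] = {}
    have_os_api = hasattr(os, "listxattr")
    have_cli = shutil.which("xattr") is not None
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if have_os_api:
                    names = os.listxattr(path, follow_symlinks=False)
                    attrs = {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
                elif have_cli:
                    attrs = _xattrs_via_cli(path)
                else:
                    return result  # no way to read EAs on this platform
            except (OSError, subprocess.CalledProcessError):
                continue  # unreadable file or filesystem without EA support: skip it
            if attrs:
                result[path] = attrs
    return result


if __name__ == "__main__":
    import sys
    scan = collect_xattrs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCAN
    for f in audit_xattrs(scan):
        print(f"{f['path']}  EA={f['attr']!r}  {f['size']} bytes  {'; '.join(f['reasons'])}")
```

Run with a directory argument to scan real files, or with no argument to see the findings on the constructed sample, where only the "test" attribute on the bundle executable is reported. The two heuristics are deliberately independent: an unknown attribute name is worth a look even when the value is opaque, and a script-like value is worth a look even under a familiar-looking name.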
7. Malware Delivered via Postal Mail in Switzerland
In a novel delivery method, the Swiss Federal Office for Cybersecurity has issued warnings about malware being disseminated through traditional postal mail. Letters purportedly from MeteoSwiss, the country's meteorological agency, contain printed QR codes that link to malicious downloads.
"These postal letters... are being used to spread malware," [00:10] Prentice reports.
Recipients who scan the QR codes are directed to download the stealer malware Coper and Octo2, which are designed to extract login details from over 383 mobile applications, including e-banking services. While sending malware via postal mail is uncommon due to the logistical overhead of postage, this tactic exemplifies the lengths to which cybercriminals will go to infiltrate systems.
Prentice emphasizes the importance of skepticism towards unsolicited postal communications and the need for robust security practices to mitigate such unconventional attack vectors.
Upcoming Episode: Week in Review with Brett Conlon
Steve Prentice concludes the episode by announcing the upcoming "Week in Review" show featuring Brett Conlon, CISO at American Century Investments. Scheduled for later the same day at 3:30 PM Eastern, the show will offer expert commentary on the week's cybersecurity news. Listeners are encouraged to participate and share their comments via the CISO Series YouTube live channel by registering on the events page.
"Make sure to join us later today at 3:30pm Eastern for our Week in Review show," [00:12] Prentice invites listeners.
Conclusion
This episode of Cyber Security Headlines provides a comprehensive overview of critical developments in the information security landscape, ranging from state-sponsored espionage to evolving cybercriminal tactics. By highlighting recent breaches, password security issues, and innovative malware delivery methods, host Steve Prentice offers valuable insights for cybersecurity professionals and enthusiasts alike. For more in-depth stories, listeners are encouraged to visit CISOseries.com.